I am having trouble creating certificates in Caddy. The goal is to obtain a single certificate and a wildcard certificate for:
dev.example.com
*.dev.example.com
I can see in both the Caddy logs and the KAS that two TXT records are being created. In fact, both TXT records are created with the same name, which according to my research is correct and should not cause any issues:
"record_name": "_acme-challenge.dev"
As far as I can tell from the logs, the problem occurs when the TXT records are deleted during challenge cleanup. In the code, only the record_name is used for the lookup, and the first matching record is deleted arbitrarily.
Relevant code (all-inkl/client.go in e850d95, lines 449 to 450 and 326 to 332):

```go
func (p *Provider) DeleteRecord(ctx context.Context, zone string, record libdns.Record) ([]libdns.Record, error) {
	searchedRecord, err := p.getRecordByName(ctx, zone, record, false)
	// ...
}

func (p *Provider) getRecordByName(ctx context.Context, zone string, record libdns.Record, recursive bool) (allinklRecord, error) {
	// ...
	for _, crecord := range ChachedRecords[zone] {
		// only the name is compared; type and data are not looked at
		if crecord.Name == record.RR().Name {
			return crecord, nil
		}
	}
	// ...
}
```
This appears to result in the wrong TXT record being deleted. Consequently, the ACME client in Caddy gets confused and throws the following error:
During secondary validation: Incorrect TXT record "etgAOIztlZl_6u_DP4eUbV5tzKYleBVo1DOaeM8u4-Q" found at _acme-challenge.dev.example.com
This TXT record should actually have been deleted, but it was not because the wrong record was removed instead.
What a solution could look like:
Instead of searching for records only by record.name, the search should compare all fields if possible (at least data and type). This would allow the correct record to be identified and deleted unambiguously.
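As an added example (not the all-inkl provider's own code), this puts the name-only lookup described above side by side with the proposed name, type and data comparison and runs both over two constructed TXT records that share the name `_acme-challenge.dev`. `txtRecord` is a stand-in for `libdns.Record`, and the token strings are made up.

```go
package main

import "fmt"

// txtRecord is a constructed stand-in for the libdns record fields the issue
// discusses; it is not libdns.Record (added example, not provider code).
type txtRecord struct{ Name, Type, Data string }
// findByName mirrors the name-only lookup the issue quotes: the first record
// with a matching name wins, regardless of its data.
func findByName(records []txtRecord, want txtRecord) (int, bool) {
	for i, r := range records {
		if r.Name == want.Name {
			return i, true
		}
	}
	return -1, false
}

// findByFields is the proposed fix: compare name, type and data so the two
// _acme-challenge.dev records are told apart by their validation token.
func findByFields(records []txtRecord, want txtRecord) (int, bool) {
	for i, r := range records {
		if r.Name == want.Name && r.Type == want.Type && r.Data == want.Data {
			return i, true
		}
	}
	return -1, false
}

// deleteRecord removes the record chosen by match (if any) and returns the rest.
func deleteRecord(records []txtRecord, want txtRecord, match func([]txtRecord, txtRecord) (int, bool)) []txtRecord {
	i, ok := match(records, want)
	if !ok {
		return records
	}
	return append(append([]txtRecord{}, records[:i]...), records[i+1:]...)
}
// sampleZone holds two constructed challenge records: same name, different tokens.
func sampleZone() []txtRecord {
	return []txtRecord{
		{Name: "_acme-challenge.dev", Type: "TXT", Data: "token-for-dev.example.com"},
		{Name: "_acme-challenge.dev", Type: "TXT", Data: "token-for-wildcard"},
	}
}

func main() {
	want := sampleZone()[1] // cleanup asks to delete the wildcard's token
	fmt.Println("name-only leaves:", deleteRecord(sampleZone(), want, findByName))
	fmt.Println("all-fields leaves:", deleteRecord(sampleZone(), want, findByFields))
}
```

With the name-only match the first record (the one for dev.example.com) is removed and the wildcard token survives, which is the stale record the CA then reports; with the all-fields match the requested record is the one removed.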